Vulnerability Analysis: SolarWinds Orion Network Management
Posted on 15th Dec, 2020 | By Sumeetha
SolarWinds Orion Platform Software is a network management tool used by over 300,000 customers worldwide. Defense and government agencies, software companies and Fortune 500 companies use this platform to monitor their IT stack from infrastructure to application. SolarWinds confirmed in its security advisory that Orion updates for versions 2019.4 through 2020.2.1, released between March 2020 and June 2020, carried malware known as SUNBURST/Solorigate.
Security agencies in the US are alarmed because SolarWinds is such a widely deployed product. A few statistics give a sense of the gravity of this breach. Orion is used by -
- 425+ US Fortune 500 companies
- Top ten US telecommunications companies
- All five branches of the US Military
- The US Pentagon, State Department, NASA, NSA, Postal Service, NOAA, Department of Justice, and the Office of the President of the United States
- Top five US accounting firms
- Hundreds of universities and colleges worldwide
CSW Insights & Key findings
A breach of this magnitude calls for a closer look. Here are a few key points from CSW’s Attack Surface analysis on known vulnerabilities and what’s been weaponized to date -
There are 102 vulnerabilities that exist in SolarWinds out of which 15 are present in Orion Platform Software.
- 4 CVEs are rated as critical, 1 as high and 9 as medium.
- 11 are older vulnerabilities, published between 2010 and 2019.
- CVE-2019-9546, a critical Privilege Execution vulnerability, is suspected to be the culprit that allowed this breach. There are well-known exploits for this vulnerability.
- Analysis by Common Weakness Enumeration shows that CWE-79 (Improper Neutralization of Input During Web Page Generation) is the weakness most often exploited in Orion’s vulnerabilities.
- At the time of writing this analysis, we found no APT group or ransomware publicly associated with these 15 vulnerabilities.
How the attack unfolded
SolarWinds’ security advisory revealed that the company was compromised early in 2020, but there is reason to suspect that it may have been attacked as early as 2019, when a SolarWinds FTP credential was leaked on GitHub.
SolarWinds, however, maintains that the threat actors installed a backdoor in a key library in early 2020. This library was then delivered to select SolarWinds customers through the normal update process, so SolarWinds Orion versions 2019.4 through 2020.2.1 HF1 are potentially affected. Because Orion is an IT management platform, this backdoor gives an attacker a perfect gateway: from it they can enable or disable security tools, change configurations, or block the patches that would mitigate the risk of these vulnerabilities.
Here is a MITRE map of how this attack might have unfolded –
Our exposure analysis identified 1687 internet-facing SolarWinds products overall, of which 699 are in the US and 56 in India. Network management tools should never be exposed to the Internet. Incidentally, CSW warned about six CVEs (CVE-2019-9017, CVE-2019-3980, CVE-2019-3957, CVE-2015-8220, CVE-2013-3249 and CVE-2018-12897) in our Cyber Risk series when we researched potentially vulnerable products that could be breached during the COVID-19 lockdown.
This is a massive attack launched simultaneously against sensitive government agencies with the intent to cripple the country. The attackers have surreptitiously monitored the email communications of several federal agencies and have launched this attack. Here are a few recommendations to keep your organization safe -
- Patch all vulnerabilities related to SolarWinds.
- Upgrade to Orion Platform version 2020.2.1 HF 1 as soon as possible.
- Isolate your network from SolarWinds servers and restrict the scope of connectivity until further investigation is done.
- Consider changing passwords to ensure the security of your environment.
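As an added example (not code from CSW or SolarWinds), here is a small inventory check that applies the version guidance above: it parses Orion version strings including the "HF n" hotfix suffix, flags hosts inside the advisory range 2019.4 through 2020.2.1, and marks anything below 2020.2.1 HF 1 for upgrade. The hostnames, versions and the CSV layout of the sample inventory are constructed for illustration.

```python
import re

# Version range the advisory names as affected and the recommended upgrade target.
AFFECTED_LOW = "2019.4"
AFFECTED_HIGH = "2020.2.1"
UPGRADE_TARGET = "2020.2.1 HF 1"

# Matches "2020.2.1", "2019.4 HF 5", "2020.2.1 HF1" (case-insensitive "HF").
_VERSION_RE = re.compile(r"^\s*(\d+(?:\.\d+)*)\s*(?:HF\s*(\d+))?\s*$", re.IGNORECASE)


def parse_orion_version(text):
    """Parse '2020.2.1 HF 1' into ((2020, 2, 1), 1) and '2019.4' into ((2019, 4, 0), 0).

    The release part is padded to three fields so 2019.4 equals 2019.4.0, and the
    hotfix number sorts after the base release of the same version."""
    match = _VERSION_RE.match(text)
    if not match:
        raise ValueError(f"unrecognised Orion version string: {text!r}")
    release = [int(p) for p in match.group(1).split(".")]
    release += [0] * (3 - len(release))
    hotfix = int(match.group(2)) if match.group(2) else 0
    return (tuple(release[:3]), hotfix)


def classify_host(hostname, version_text):
    """Return the recommended action for one Orion host based on its version."""
    version = parse_orion_version(version_text)
    affected = parse_orion_version(AFFECTED_LOW) <= version <= parse_orion_version(AFFECTED_HIGH)
    below_target = version < parse_orion_version(UPGRADE_TARGET)
    if affected:  # inside the range that shipped with SUNBURST: isolate first, then upgrade
        action = "isolate, then upgrade to " + UPGRADE_TARGET
    elif below_target:  # outside the backdoored range but still unpatched
        action = "upgrade to " + UPGRADE_TARGET
    else:
        action = "none"
    return {"host": hostname, "version": version_text, "affected": affected, "action": action}


def triage_inventory(inventory_text):
    """Parse 'hostname,version' lines (constructed format) and classify each host."""
    results = []
    for line in inventory_text.strip().splitlines():
        hostname, version_text = (field.strip() for field in line.split(",", 1))
        results.append(classify_host(hostname, version_text))
    return results


# Constructed sample inventory; hostnames and versions are made up for illustration.
SAMPLE_INVENTORY = """
orion-hq-01, 2020.2.1
orion-dc-02, 2019.4 HF 5
orion-lab-03, 2018.4
orion-new-04, 2020.2.1 HF 1
"""

if __name__ == "__main__":
    for entry in triage_inventory(SAMPLE_INVENTORY):
        print(f"{entry['host']:<13} {entry['version']:<14} affected={entry['affected']!s:<5} {entry['action']}")
```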